The NSA won’t admit how dumb it is
The Obama administration’s claim that the National Security Agency is not spying on Americans rests on a fundamental assertion: That the intelligence agency is so good at distinguishing between innocent people and evildoers, and so tightly overseen by Congress and the courts, that it doesn’t routinely collect the communications of Americans en masse.
We now know that’s not true. And we shouldn’t be surprised. The question is, why won’t the NSA admit it?
The Washington Post last week released a classified audit of NSA’s intelligence-gathering systems, showing they are beset by human error, fooled by moving targets and rely on so many different databases that NSA employees can’t keep tabs on all of them.
It was previously reported that the NSA had unintentionally collected the communications of Americans, in violation of court orders, as it swept up electronic signals in foreign countries. But officials portrayed those mistakes as limited, swiftly corrected, and not affecting that many people. Wrong.
One reason the NSA has been able to gather so much power is that it has built a reputation for super-smarts and hyper-competence. The NSA’s hackers could penetrate any network. Their mathematicians could unravel any equation. Their cryptologists could crack any cipher. That reputation has survived billion-dollar boondoggles. Whether it can outlast these latest revelations is an open question.
The Post found that the NSA “has broken privacy rules or overstepped its legal authorities thousands of times each year since Congress granted the agency broad new powers in 2008 . . .” That’s the year NSA’s global surveillance system went into hyper-drive. The agency was granted unprecedented authority to monitor communications without individual warrants and to surveil whole categories of people and communications.
Most of the violations affecting Americans’ information were the result what the agency calls “incidental collection.” So how many Americans were caught up in the NSA’s surveillance nets as they were dragged across supposedly foreign targets? Unclear. But the short answer is: lots.
In one instance, a programming glitch collected a “large number” of calls from Washington, D.C., instead of the intended targets in Egypt, according to the audit. Somehow, the area code 202 was keyed instead of 20 (the country code for Egypt.) The NSA’s surveillance architecture was undone by a typo.
The audit reveals a recurring problem with human error in the operations of global surveillance and shows what a messy business it can be. In the first quarter of 2012, 123 incidents of non-compliance with the rules, 63 percent of those examined, were attributed to human error. These included typographical errors, inaccurate or overbroad search queries, and “inaccurate or insufficient research information and/or workload issues.”
Analysts needed more “complete and consistent” information about their targets to avoid errors, the audit found. This suggests that while the NSA’s collection systems are dipping into data streams, the analysts aren’t always equipped to determine who is and isn’t a legitimate target.
The NSA’s systems also have problems knowing when a target is on the move and possibly has entered the United States. As recently as 2012, NSA was not always able to know when targets using a mobile phone had crossed a U.S. border.
A problem discovered last year, which appears in the report under the heading “Significant Incidents of Non-Compliance,” helps illustrate how NSA is collecting so much information that it can lose track of it and store it in places where it shouldn’t be. In February 2012, the NSA found 3,032 “files containing call detail records” on a server. A call detail record, or CDR, is analogous to a phone bill. It shows who was called, when and for how long. This is metadata, like what’s collected today on all phone calls in the United States.
It’s not clear how many CDRs were in each of those files. But they were stored on the server for more than five years, past the cut off point at which the information is supposed to be destroyed, pursuant to NSA rules that are meant to protect the privacy of Americans. How the records got there is a mystery. The report says they were “potentially collected” under business records orders, which are authorized by the Patriot Act. But that’s not certain.
What is known is that the records were stored with information that shouldn’t have been anywhere near them. It came from the agency’s highly classified Stellar Wind program, which covered the warrantless interception of phone calls and emails (not just their metadata) secretly authorized by President George W. Bush in 2001. Joining the call detail records and the Stellar Wind records was data from yet another program that was unrelated to the two.
Mixing information obtained from different programs, and under different laws or authorizations, is a dangerous practice in the intelligence profession. Information is segregated to restrict and monitor the number of people who have access to it. An analyst cleared to look at call detail records might not be authorized to listen to phone calls intercepted under Stellar Wind. But if it’s all on the same server, he might be able to do just that.
That may have happened in 2011, according to the audit. Some personnel may have been granted access to a cache of information that was recently modified so that they were no longer allowed to look at it. But not all the employees were informed about the change.
Storing different intelligence streams in one place also increases the risk of revealing valuable sources and methods for how it was obtained. It also it makes it easier to steal. (Just ask Edward Snowden.)
The newly released documents affirm something we’ve long known: The NSA gathers large amounts of information on foreigners and U.S. citizens and then tries to separate the wheat from the chaff, with imperfect results.
What members of Congress and the public may find more troubling is that the NSA wasn’t honest about these shortcomings. Officials hid them from the same judges and lawmakers that President Obama recently said were engaged in a rigorous process of checks and balances that keeps electronic spying within the bounds of the law.
Perhaps that system, like the NSA’s data vacuums, could use a tune up.